PPTP + Cisco CGN

Dear Network Engineers,

I need some advice with a problem. I use Carrier Grade NAT on a Cisco ASR1K to provide Internet access for customers. Some of them want to use PPTP to get access to VPN servers on the Internet. Main traffic is forwarded through NAT with the overload option enabled. It allows translating multiple customers to the same global IP address.

But PPTP doesn't work through "overloaded" NAT because sometimes the control TCP session to port 1723 and the GRE tunnel are translated to different global IP addresses, and the user can't be authenticated on the VPN server. I tried to create an additional global IP address pool to translate PPTP traffic only (TCP/1723 and GRE) without the overload option. It works fine until this pool becomes completely exhausted.

Someone permanently scans our global IP addresses from the Internet looking for open exploits. Every translation captures a packet from the Internet every 1-2 minutes, regardless of whether the customer is using this translation now or not. So a "non-overloaded" translation never expires.

To solve this problem Cisco provides application layer gateway (ALG) features, but the PPTP ALG doesn't work with CGN NAT. So I had to disable it.

How can this problem be fixed so that our customers can use PPTP through NAT?

Thanks!
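A constructed Python model of the exhaustion described above (added here as an illustration; it is not code from the original post or from Cisco): a non-overloaded pool whose idle timer is reset by any packet, including unsolicited inbound scans, never frees a global IP, whereas a pool that only counts customer-originated traffic ages the entries out. The addresses, timers and scan interval are made-up values.

```python
from dataclasses import dataclass


@dataclass
class Translation:
    inside_ip: str
    last_seen: float  # time the entry's idle timer was last reset


class CgnPool:
    """Constructed model of a non-overloaded CGN pool: each inside host
    consumes a whole global IP; the entry ages out after idle_timeout."""

    def __init__(self, global_ips, idle_timeout, refresh_on_inbound):
        self.free = list(global_ips)
        self.table = {}  # global_ip -> Translation
        self.idle_timeout = idle_timeout
        self.refresh_on_inbound = refresh_on_inbound

    def expire(self, now):
        for gip, entry in list(self.table.items()):
            if now - entry.last_seen >= self.idle_timeout:
                del self.table[gip]
                self.free.append(gip)

    def outbound(self, inside_ip, now):
        """Customer traffic: reuse or allocate a global IP; None if exhausted."""
        self.expire(now)
        for gip, entry in self.table.items():
            if entry.inside_ip == inside_ip:
                entry.last_seen = now
                return gip
        if not self.free:
            return None
        gip = self.free.pop(0)
        self.table[gip] = Translation(inside_ip, now)
        return gip

    def inbound(self, global_ip, now):
        """Unsolicited packet from the Internet (e.g. a scanner) hits a global IP."""
        self.expire(now)
        entry = self.table.get(global_ip)
        if entry is not None and self.refresh_on_inbound:
            entry.last_seen = now  # the scan keeps the translation alive


def run_scenario(refresh_on_inbound, idle_timeout=300, scan_interval=90):
    globals_ = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]  # TEST-NET-3, constructed
    pool = CgnPool(globals_, idle_timeout, refresh_on_inbound)
    for i in range(3):  # three customers bring up PPTP at t=0, then go idle
        pool.outbound(f"10.0.0.{i + 1}", now=0)
    for t in range(scan_interval, 3600, scan_interval):  # scanner sweeps every global IP
        for gip in globals_:
            pool.inbound(gip, now=t)
    fourth = pool.outbound("10.0.0.4", now=3600)  # a new customer an hour later
    return fourth, len(pool.table)
```

`run_scenario(True)` returns `(None, 3)`: the scans arrive faster than the idle timeout, so the pool is still full after an hour of no customer traffic; `run_scenario(False)` returns `("203.0.113.1", 1)`.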
